F-Droid and Google's Developer Registration Decree | F-Droid
Fucking google at it again. Straight up turning into apple.
You would wish Google would turn into Apple. AAPL at least has the decency of respecting some privacy.
Google, on the other hand, is an advertising company (not a tech company), selling all the people pocket size advertisement billboards named “Android” for years, and they’re taking the last step of seizing full control over it.
If you don't think Apple is profiting off your data for advertising, I have a bridge to sell you
Fdroid is just the best. Around half of the apps on my phone are from Fdroid and Izzy.
Why the Google identity check is completely useless:
Step 1: scammer acquires stolen id card
What's the difference between malware developed anonymously and malware developed anonymously but registered under a fake id? It can be installed today and it can be installed tomorrow. Do they really believe that malware developers will doxx themselves when publishing their malware?
This. Every day there is a new legitimate dataset of ids for sale on the internet. I have seen enough never to trust ids anymore
When Android stops working properly, I'll move back to a dumb/feature phone. My wife will hate it, but so be it.
Some friends and I were talking about the feasibility of that earlier today.
It's possible, assuming that you never need to use your phone as an MFA method, never need to scan a QR code, or never need to use an app for something because they lack a web version.
My company recently required us to have mandatory fun at a baseball stadium. Apparently, Ballpark MLB is the only way to receive tickets and get into the park... I had to sign up for some stupid account and download some stupid app because my company required it.
If my employer wants me to use MFA, they can provide me the device.
never need to scan a QR code
QR wishes it can someday become as relevant as you're giving it credit for. Haha.
There is Aegis for MFA. It's much nicer than the closed proprietary ones.
Of course, if a job requires something incompatible, then I'll let them buy me a dedicated device.
Some services threaten me with "there's no web version", but they never end up being someone I want to do any business with, anyway. ¯°_o)/¯
But I do want a dumb flip phone again. They were cool.
I hear you. My wife has also requested that I not deprecate certain proprietary apps until I can provide a good alternative that works on both Android and Apple. Last time was when we were traveling and wanted to share locations with each other in real time. I had to give WhatsApp location perms 🤮
Oh, I hear you there. I've had to give persistent location data to GMaps of all things, because she uses Apple and actually wanted me to get one of those devices just for location.
My wife will hate it, but so be it.
Pretty sure you can build and self-host an SMS-whatever-she-is-using (e.g. Signal, DeltaChat, etc) bridge if somehow SMS isn't enough.
Note to self if that were to happen : OSHW SIM modem (or even eSIM) that forwards to whatever (API, email, etc) that then bridges to other networks.
I have a couple of PinePhone I could keep plugged in but otherwise any Android phone where one can load an .apk
e.g. Termux could have a hook on SMS then forward accordingly.
Edit: quick search, a 4G dongle costs ~20EUR today and for compatibility on e.g. a RPi https://forums.raspberrypi.com/viewtopic.php?t=210724 bother otherwise Ubuntu https://wiki.ubuntu.com/NetworkManager/Hardware/3G and example on Debian https://wiki.friendlyelec.com/wiki/index.php/How_to_use_4G_Module_on_Debian
Edit2: didn't try it but https://alwaysconnected.eu/ proposes 1Gb for 1 year (probably already too much data... since one needs 0 if connected on RPi) for 14EUR and they sell a Huawei (not great but I imagine works well with the card) E3372 (no idea if it works well with Linux) for 60EUR.
DOWN WITH GOOGLE
DOWN WITH GOOGLE
DOWN WITH GOOGLE
...
Looks like I'm searching for a device that can run LineageOS, then.
🤗
If this comes to pass, f-droid might get closed as the userbase dwindles. Many apps will also cease to be developed and be left without updates. You will not get out with just updating to LineageOS. We should be looking at Linux phones at that point.
f-droid might get closed as the userbase dwindles.
Nah. F-Droid is already federation-ready. https://f-droid.org/docs/Installing_the_Server_and_Repo_Tools/
I'll run my own copy of the F-Droid servers, before I bend my knee to Google. So will others.
Edit: But yes, you are correct that Linux phone is the long term solution. Android is a pile of corporate Java. Linux is a lean sleek set of mature highly optimized tools. Once the big show-stoppers are cleared, my Linux phone will be the envy of all who see me use it.
Fdroid will not close, it's decentralized. I have my little personal repository with apps I care about. Thousands of people do. Together we have pretty much everything
There are other software sources, e.g. I use Obtainium mostly.
Still using LOS, haven't looked back...
Holy crap I got one! So stoked to try it out! I've been seeing all the pixel stuff about it and just assumed it was flagships only, but my $150 unlocked phone is supported! Thanks for the push I needed to look it up.
I think way forward for me once these restrictions come in place will be to go with custom rom for my main phone, and a cheap stock phone for just apps that aren't custom rom friendly like bank apps. I don't need bank apps on the go, so not really going to need to carry 2 personal phones around.
I just got my Moto G 5G 2024 unlocked 😁 It's only like $140
This is the same as moto g45 5G i think. Apparently moto g 5G ≠ moto g45 5G.
I am considering moto g45 5G at the moment.
I will probably keep my current device for shit apps necessary for banking etc.
I will install LineageOS on moto g45, and it will be for programs that will not have google's approval / F-Droid stuff.
really hope someone finds a way to break google's block on apks that aren't registered. with more and more manufacturers locking down bootloaders, changing roms is no longer an option.
The only apps I have installed from the play store are ones that came pre-installed with the phone. The rest are all from f-droid....
LONG LIVE F-DROID ! !
I imagine I'm gonna get downvoted for this, but I have no idea what F-Droid is.
i don't know why people would but it appears as if they already have. f-droid is a catalogue of FOSS apps for android. sort of like an alternative app "store" (but there is no purchasing).
Google fdroid or use chatgpt
I'm confused by this:
The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.
My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.
How would this impact F-Droid in any way? Presumably by the time F-Droid enters the picture the developers of the apps they distribute would have already gone through that entire process, right? The apks will be tied to that new Google certificate, but after that they can still be distributed anywhere.
I mean, don't get me wrong, this has genuine, very serious, dealbreaking issues, in that Google can just cancel the account of a developer making apps they don't like, the same way Apple has done in the past. That's not great. But from F-Droid's perspective all of that has happened upstream, they are not anywhere in that loop, unless I've misunderstood the changes.
How would this impact F-Droid in any way?
F-Droid itself builds the APKs to ensure that they're reproducible and not signed on a development machine that could be compromised.
https://f-droid.org/en/docs/FAQ_-_General/#is-your-building-and-signing-process-secure
With these changes, either:
Oooh, gotcha. That makes sense.
I guess it'd make sense to take that first option as far as it will go, at which point the issue becomes litigating this the first time Google has their own weird censorship issue in the Apple mold. I'd expect if they ban all of F-Droid explicitly that would at least make more ripples than going after a single torrent client app or whatever. It may play out different from a regulatory perspective, too, if the practical effect is they ban third party stores.
Side note, I'm really mad at the very deliberate choice Google made of categorizing all potential apps as either "apps meant for Google Play" or "student or hobbyist apps". You know they know why that's wrong, but it still makes you want to explain it to them.
My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.
Yes, and google asks for identification from the developers, and a lot of open source developers - having privacy in mind - don't want to provide personal information. This is shitty beyond anything google has done before.
"Want" isn't my concern. Presumably no developers want to give Google a piece of anything they generate, open source or not.
My concern was not understanding how this interferes with F-Droid and that has been explained above: F-Droid builds their own APKs for verification and this process potentially makes that a lot harder while not providing a replacement for their verification from Google.
That makes sense and it is indeed a dealbreaker. The other thing much less so.
Google can do this for their own store first. I doubt it will make any difference in the number of malicious and shit apps on that store. Requiring this be mandatory for everyone is clearly malicious.
I feel like you don't really know anything about the scam community, but a side loaded app is like 500 times more likely to be malware than a Play store app. The amount of millions that have been stolen from users in India, Mexico, Africa, and Brazil because of sideloaded apps is pretty staggering.
I'm fairly certain fdroid should just be able to alter the way that they're doing things a bit and still exist under the need to obtain a signing cert from Google.
I mean personally I'm not on the same side with this. I would rather Google not do this without some way to disable it via the UI given enough warnings and what not.
The USA with its corporations setting a new, unbeatable WR in any% glitchless turning into a dictatorship with zero human rights or freedoms.
wellp. time to go back to a time where phones were phones and not much more. i don't need a smart phone, i barely wanted one to begin with. i just want a way to talk to people, send sms with a T9 keyboard, listen to preloaded MP3s and maybe play snake.
Nokias are back, maybe see if you can get one where you are
Disclaimer: I have been a maintainer for LineageOS and a long time user.
Whoever advocates for LineageOS doesn't get it. Using LineageOS will not fix any issue like this.
Already today using LineageOS means giving up on banking apps, ID apps, and even McDonald's and some games like Pokemon.
Yeah because Google with Play Integrity now demands valid keys that get invalidated as soon as Google detects they are used for such usage. The cat and mouse game suddenly got much harder to beat.
So no, using LineageOS will soon be possible only with secondary devices and not your primary that you will need for your actual stuff to work.
Counterpoint: I use the McDonald's app where it belongs - on a giant greasy ordering kiosk.
But seriously, banks have websites. Everyone and everything has a website.
I don't need Android apps at the cost of my privacy or at the cost of control of my devices.
I use GrapheneOS as my only phone, and I have done so for years.
Whatever the topic, I don't need an app for that.
I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.
Counter-counterpoint:
Banks use their app to generate the otp and they reinvented the wheel so if you want to login you need to install it, can't use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.
For McDonald's, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there's a need to install the app
I've never had an issue with the three banking apps I tried on LineageOS, and I didn't even know there was a McDonald's app or pokemon games.
If this list for /e/os roughly applies to LineageOS (with microG), I wouldn't call it "only for secondary devices", more "won't work for some people"
Did I miss something? AFAIK google is requiring devs to ID, not to use SafetyNet or whatever the "only-runs-on-certified-phones" thing is called
Same, my bank also doesn't require strict play integrity. I think I ran into an issue with a dating app once, but that's about it, and that's no real loss.
If my bank would suddenly stop working on Android with microG (with no simple alternative), I'd just switch to another bank, there are enough.
Exactly, trying to find software alternative for what is ultimately going to be locked down hardware is never going to be a sustainable solution.
Alternative OS means nothing if there's no widely supported open hardware with unlocked bootloader to run such OS long term, and Google has got all mainstream phone manufacturers cornered legally and commercially with this and their requirement for manufacturer authorization for shipping GMS suite with their products.
The only way out is this ridiculous decision of Google getting push backs from legislation, because there's nothing manufacturers can do and without them there's nothing FOSS developers can do to push back long term, and Google isn't stopping themselves from doing Evil™.
Fully agree
I (for the moment) use stock android without a google account without any issues.
Then again i don't use banking apps on a smartphone.
My gov provides ID apps and they work fine - then again, GPS is installed of course.
Fuck McDonald's.
I'll have to check app support on Lineage or PostMarketOS in the near future.
But if I'm already using LineageOS without GApps, this wouldn't make any difference, right?
Edit: Also - thanks for all your work!
And soon you will need a second device with locked down bootloader and play integrity to use mainstream apps.
What when meta will require attestation to run WhatsApp? Not if, when...
Seriously? Open computing is dead to you because you can't order fast food or play games? I don't even have Google Play on this GOS device. And, by the way, my banking app works fine on LineageOS. Not that I need it, since I use a hardware TAN generator.
Would you recommend a B-2 Spirit solution or not yet?
I assume this is the same with GrapheneOS?
My bank app works without issue inside a private space with sandboxed Play services on my main user profile.
I also have an investment app which runs without any issue whatsoever.
Maybe I'm lucky and these Canadian companies just aren't dicks about mandating google.
As far as I'm aware, as of now, Graphene does not meet Google's attestation (Uncertified Device), because Google says so, but is easily more secure.
Google's lockdown has zero to do with security.
I remember when internet banking meant installing some shitty "security" software on Windows before it would let you access the proper page on your browser.